The update appeared earlier today, and while we haven't been able to confirm that it's authentic, it has set off a storm in security circles, on Hacker News, and over at Ars Technica. Even though the encryption tool hasn't seen a major release in years, TrueCrypt had only recently passed the first phase of a comprehensive security audit without any backdoor or critical flaw turning up. The sudden warning came as a surprise, one that a number of commenters around the web have assumed must be the work of a compromised SourceForge account or a rogue site admin. If the warning is legitimate, it may be time to migrate your encrypted files to another tool.

Either way, do not download the version of TrueCrypt listed on the site right now. According to security researcher Runa Sandvik, it was compiled yesterday and signed with a questionable DSA key. It may be compromised along with the TrueCrypt SourceForge page.

Beyond that, the posted version of TrueCrypt appears to be heavily modified, with critical features removed and a heavy dose of "INSECURE_APP" sprinkled through the code. Even so, it was signed with the official TrueCrypt signing key, which leads us to believe this might be the real thing. Keep in mind what a valid signature actually proves: that whoever built the release held the private key, not that the key was still in the right hands. Ars Technica notes:

The SourceForge page, which was delivered to people trying to view truecrypt.org pages, contained a new version of the program that, according to this “diff” analysis, appears to contain changes warning that the program isn’t safe to use. Significantly, TrueCrypt version 7.2 was certified with the official TrueCrypt private signing key, suggesting that the page warning that TrueCrypt isn’t safe wasn’t a hoax posted by hackers who managed to gain unauthorized access. After all, someone with the ability to sign new TrueCrypt releases probably wouldn’t squander that hack with a prank. Alternatively, the post suggests that the cryptographic key that certifies the authenticity of the app has been compromised and is no longer in the exclusive control of the official TrueCrypt developers.

Update: Security expert Brian Krebs has a great roundup of the situation on his blog, and notes that while the tone and language used in the warning on the project's SourceForge site are curious at best, the project's hosting, domain registration, and WHOIS information haven't changed recently, which is unusual for a simple site hack.


Right now, it looks more like the changes are either a deliberate act by the TrueCrypt team (a scorched-earth end to the project, whether because of pressure or exposure brought by the audit, some outside influence, or internal strife) or one member of the team flipping over the metaphorical table. Because all of the developers are anonymous, there's no way to be sure.

Update: Security expert Steve Gibson summarized the current situation on his blog late yesterday, and included a few new tidbits of information. First, the security audit of TrueCrypt will likely continue, using version 7.1a, the last release before the warning appeared and the one that's safe to download; he has links to that version on his site. The team performing the audit plans to continue and issue their finalized report in a few months, likely by the end of the summer. By then, we'll know if anything turned up that would have caused all of this.


Second, the abrupt changes and warning on their site haven't gone away, so it's fair to assume that this wasn't a rogue hack but a deliberate act on the part of at least a few of the all-anonymous TrueCrypt development team. Steve notes that Steven Barnhart reportedly got in touch with one of the developers using an email address he'd used in the past, and got a response from a developer named "David" that explained some of why they shut the project down this way. From a Twitter conversation Barnhart had with Matthew Green:

TrueCrypt Developer “David”: “We were happy with the audit, it didn’t spark anything. We worked hard on this for 10 years, nothing lasts forever.”

Steven Barnhart: (Paraphrasing) Developer “personally” feels that fork is harmful: “The source is still available as a reference though.”

Steven Barnhart: "I asked and it was clear from the reply that 'he' believes forking's harmful because only they are really familiar w/code."

Steven Barnhart: "Also said no government contact except one time inquiring about a 'support contract.'"

TrueCrypt Developer "David": Said "Bitlocker is 'good enough' and Windows was original 'goal of the project.'"

Update: TrueCrypt's security audit is finally complete, and nothing earth-shattering was uncovered. A few issues that could be exploited in very specific situations and attack scenarios were identified, but there were no findings that would explain why the TrueCrypt development team would suddenly abandon the project. You can read more, and see the whole report, here.